Communication systems are generally configured to operate in accordance with specified standards. For example, WiMAX systems, which provide broadband access to mobile users and other subscribers, are configured in accordance with IEEE Standard 802.16, described in document P802.16Rev2/D5, “Standard for Local and Metropolitan Area Networks, Part 16: Air Interface for Broadband Wireless Access Systems,” June 2008, which is incorporated by reference herein. This standard specifies the air interface, including the medium access control layer (MAC) and physical layer (PHY), of combined fixed and mobile point-to-multipoint broadband wireless access (BWA) systems providing multiple services. Additional standards governing operation of WiMAX systems are described in WiMAX Forum documents, which are also incorporated by reference herein, including WiMAX Forum Network Architecture—Stage 3—Detailed Protocols and Procedures—Release 1, Version 1.2.3, July 2008.
The above-noted IEEE 802.16 and WiMAX Forum documents specify messaging protocols which are designed to ensure security of communications within a WiMAX system. However, the messaging protocols allow support for different levels of security, from strong security to low-level security to no security at all. Typically, a mobile station will negotiate a portion of its basic security capabilities with a base station before the mobile station is completely authenticated to the system. In a WiMAX system, this initial negotiation between mobile station and base station occurs through the exchange of Subscriber Station Basic Capabilities (SBC) Request (REQ) and Response (RSP) messages. As part of this interaction, the mobile station will identify its basic security capabilities to the base station in an SBC-REQ message, and the base station will respond with an SBC-RSP message indicating which of these security capabilities of the mobile station are also supported by the base station and will therefore be utilized in subsequent security negotiations between them. This exchange of SBC-REQ and SBC-RSP messages takes place prior to execution of an Extensible Authentication Protocol (EAP) in which the mobile station authenticates itself to an Authentication, Authorization and Accounting (AAA) server of the WiMAX system via the base station and an authenticator of an Access Service Network (ASN) gateway.
A problem that can arise in an arrangement of the type described above is that it is vulnerable to what is known as a bidding-down attack. In such an attack, the attacker inserts itself between the mobile station and the base station, and impersonates the mobile station to negotiate inferior security capabilities with the base station that are below those actually supported by the mobile station. Once such reduced security is negotiated, the attacker can exploit this vulnerability to conduct additional attacks and to otherwise undermine the security of subsequent communications by the victim mobile station.
One known approach to preventing a bidding-down attack is to modify the messaging protocol such that the EAP authentication process occurs prior to the negotiation of basic security capabilities in the SBC-REQ and SBC-RSP messages. See K. Thakare et al., “Initial Capability Negotiation Procedure for IEEE 802.16m,” IEEE 802.16 Broadband Wireless Access Working Group, September 2008. However, this approach is undesirable in that it would require a substantial change to the WiMAX standards, thereby necessitating costly changes to existing equipment.
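The following is an added toy model, not code from the patent or from the IEEE 802.16 or WiMAX Forum specifications, illustrating the two message orderings discussed above: the SBC-REQ/SBC-RSP exchange before EAP, where a rewritten request is indistinguishable to the mobile station from a base station that genuinely supports only weaker options, and the reordered variant of the cited proposal, where an integrity tag keyed on EAP-derived material lets the base station reject a tampered request. The capability names, their strength ordering, the comma-joined encoding and the session key are all constructed for the illustration and do not correspond to the 802.16 TLV encoding or key hierarchy.

```python
import hmac
import hashlib

# Constructed capability names and strength ordering; illustrative only,
# not the IEEE 802.16 encoding of the SBC security capability fields.
STRENGTH = {"none": 0, "weak": 1, "strong": 2}


def base_station_select(bs_supported, requested):
    """Base station side of SBC-RSP: pick the strongest capability both sides support."""
    common = set(bs_supported) & set(requested)
    if not common:
        return None
    return max(common, key=STRENGTH.get)


def rewrite_to_weakest(requested):
    """Models the in-transit tampering described in the text: the SBC-REQ is
    reduced so that only the weakest capability the mobile station offered remains."""
    return [min(requested, key=STRENGTH.get)]


def negotiate_before_eap(ms_caps, bs_caps, tampered=False):
    """Current ordering: SBC exchange precedes EAP, so nothing protects it in transit.

    Returns (selected_capability, looks_valid_to_ms). The mobile station can only
    check that the base station chose something it had offered, and a reduced
    request still satisfies that check, so the downgrade goes unnoticed.
    """
    req = rewrite_to_weakest(ms_caps) if tampered else list(ms_caps)
    selected = base_station_select(bs_caps, req)
    looks_valid = selected is not None and selected in ms_caps
    return selected, looks_valid


def _tag(key, caps):
    # Integrity tag over a canonical form of the capability list. The key stands in
    # for EAP-derived keying material; here it is a constructed value supplied by the caller.
    msg = ",".join(sorted(caps)).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def negotiate_after_eap(ms_caps, bs_caps, session_key, tampered=False):
    """Reordered variant from the cited proposal: EAP first, then an integrity-protected
    SBC exchange.

    Returns (selected_capability, integrity_ok). Whoever rewrites the request does not
    hold session_key, so the tag no longer matches and the base station rejects it.
    """
    req = list(ms_caps)
    tag = _tag(session_key, req)
    if tampered:
        req = rewrite_to_weakest(req)  # request changed, tag cannot be recomputed
    if not hmac.compare_digest(tag, _tag(session_key, req)):
        return None, False
    return base_station_select(bs_caps, req), True


if __name__ == "__main__":
    key = b"constructed-eap-derived-key"
    print(negotiate_before_eap(["strong", "weak"], ["strong", "weak"], tampered=True))
    print(negotiate_after_eap(["strong", "weak"], ["strong", "weak"], key, tampered=True))
```

The first call returns `("weak", True)`: the mobile station accepts the weaker selection because it is within what it offered, which is exactly why the unauthenticated ordering cannot distinguish a downgrade from a legitimately limited base station. The second returns `(None, False)`, the tag mismatch being the detection point that the reordering buys at the cost of the standards change the text describes.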